Perry Carpenter - The Security Culture Playbook

The Forrester Consulting study also found that security leaders are overconfident that they have a good security culture. That's obviously not a good thing. Overconfidence means they believe that they've got things under control. These leaders have a semblance of security in their mind, and yet they're leaving themselves extremely vulnerable. They are, quite literally, operating under a false sense of security.

There's a phrase that I, Perry, have said for years: “A security culture already lives and breathes in every organization. The question is really, how strong, intentional, and sustainable is that security-related aspect of your organizational culture? And what do you need to do about it?”

A security culture already lives and breathes in every organization. The question is really, how strong, intentional, and sustainable is that security-related aspect of your organizational culture? And what do you need to do about it?

There are already embedded security-related attitudes, beliefs, values, behaviors, and social norms in every organization. Your goal as a leader is to be intentional about how you pinpoint and measure security-related aspects of the culture and how you intentionally shape those aspects. That means you must be proactive about security culture management. You need to understand how that can become part of your larger organizational culture management initiatives. Ultimately, you want security beliefs, values, behaviors, and social pressures woven all throughout the fabric of your larger organizational culture. The takeaway here is that you already have a security culture. What are you going to do with (or about) it?

You can't treat security culture as a black box topic. Security culture does not exist as an entity unto itself. You already have a security culture, whether you like it or not and whether it is good or not. Security culture is inexorably intertwined within your larger organizational culture. The question you need to deal with is what are you going to do with (or about) these security-related aspects of your larger organizational culture?

It's your move.

Security and business leaders are realizing that humans are a critical layer within their security programs.

Recognizing humans as an important layer in your security program does not negate the importance of technical defenses.

The question isn't whether or not you have a security culture; it's how you need to engage it.

Leaders agree that security culture is a critical aspect of risk reduction, but there is little agreement on what constitutes a good security culture.

Security leaders are often overconfident in the maturity of their security culture, resulting in a false sense of security.

This book will give you the necessary information and tools to begin shaping your security culture.

Management is efficiency in climbing the ladder of success; leadership determines whether the ladder is leaning against the right wall.

Stephen Covey

Let's be honest—no organization will ever be fully secure. Security is a management process. It's the process of managing all the risks and threats that arise minute by minute, hour by hour, and day by day. You are never done. You can be more secure than you were yesterday, but you never arrive. You're always a zero-day threat, misconfiguration, or employee-related incident away from being less secure than you were just a minute ago.

This is a critical concept for organizational leaders and their boards of directors. So, if you are one of those leaders, or if you have influence over one of those leaders, read on. This chapter will serve as an overview of why security culture and your human-layer defenses deserve attention at the highest levels of your organization. And, while we don't want to be fear mongers or party killers, we will also briefly discuss the cost of ignoring your security culture or taking it for granted. Lastly, we'll point you to some valuable resources that you can begin using right away.

If there is one good thing that comes from all the media reporting about cyber breaches around the world, it is that virtually every organization now recognizes the need to shore up their cyber defenses. Along with that recognition comes the need to communicate clearly throughout the executive team and board of directors about the organization's risks and cyber readiness. This isn't to say that every member of the board of directors and executive team needs to become an expert in cybersecurity in addition to their current expertise, but they do need to become experts in understanding the risks that cyber-related events might have on the business.

Risk is the key word. Executives manage based on risk, reward, and opportunity. Conversations about security for the sake of security will have limited value. They might be interesting, but they aren't particularly useful. Useful conversations are those that provide context about how cybersecurity concepts and decisions might impact the business, either positively or negatively.

Here's a way of framing conversations we've found works for making virtually any topic understandable and relatable at an executive level. Think of it as a simple filter or formula you can use to improve your executive communication:

Information informs your story/narrative, which is then interpreted clearly and honestly via the metrics and anecdotes you use, leading to insights and future direction. We know that formula might feel obvious; you might have even thought something along the lines of, “Well, duh!” But now be honest with yourself and remember that you (like most people) very likely tend to try to dazzle with details. And that's the problem. Stories might include details, but details are not stories. Context might include details, but details don't provide context on their own. Any time you provide a data point, you need to clearly state what that means and why that matters in the grand scheme of things. This is where most security executives fail.

If you aren't clearly telling your own story and articulating what your data and details imply, then your audience is left to interpret things for themselves. They form an alternate story in their minds, and that's not usually to your benefit.

If you aren't clearly telling your own story and articulating what your data and details imply, then your audience is left to interpret things for themselves. They form an alternate story in their minds, and that's not usually to your benefit.

They make assumptions, and those assumptions might not align with reality. That's why it's so important to have a clear understanding of the information you need to share and the story that it tells. After you understand your information and broader narrative, you can work on underpinning that story with relevant metrics and anecdotes. And then you can point back to your metrics, anecdotes, and story to bring your audience to the ultimate conclusions. This is your chance to celebrate your successes, set future expectations, gain feedback, solicit support, and more.

When it comes to cybersecurity, there is a story about securing your organization's future by providing long-term resilience and sustainability. And, yeah, there are certainly aspects of that story that are technology-centric, but there are also many, many aspects that are people-centric. When leaders hyper focus on the technology side of the story, they risk forgetting that technology is only part of the equation. And they risk forgetting that humans are at the center of everything.